Posted
by
timothy
on Thursday May 28, 2009 @04:08PM
from the fine-line-between-clever-and-stupid dept.

An anonymous reader writes "A Turkish hacking ring has broken into 2 sensitive US Army servers, according to a new investigation uncovered by InformationWeek. The hackers, who go by the name 'm0sted' and are based in Turkey, penetrated servers at the Army's McAlester Ammunition Plant in Oklahoma in January. Users attempting to access the site were redirected to a page featuring a climate-change protest. In Sept, 2007, the hackers breached Army Corps of Engineers servers. That hack sent users to a page containing anti-American and anti-Israeli rhetoric. The hackers used simple SQL Server injection techniques to gain access. That's troubling because it shows a major Army security lapse, and also the ability to bypass supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches."

They used to work for the US mil, but hated it so much.
Now they sell their skills back at 3X the price as contractors and do not get treated like trash.
Small tip, US mil, treat your men and women right.

Well said. If GP was correct, the US wouldn't have much to show for the trillions it spends. Since they have the capability to destroy the planet several times over, obviously the money was well spent.

How about this then: In 1965, we had the capability to destroy the planet several times over in a matter of a few hours. In 2005, we had the capability to destroy the planet several times over in a matter of a few hours. What exactly did we gain for our trillions of dollars spent between 1965 and 2005?

The ability to narrow it down a bit. As much of a deterrent it is to be able to vaporize the planet, it is much nicer to vaporize the bits you want and say not vaporize your own family in the process of vaporizing your enemy.

Weapons age and must be refreshed, much like computers. Target acquisition systems get better and should be upgraded/replaced (now we can destroy the world several times over to a precision of < 1m vs ~1km). Enemies get better defenses, requiring an increasingly better offense to stay at parity.

How about this then: In 1965, we had the capability to destroy the planet several times over in a matter of a few hours. In 2005, we had the capability to destroy the planet several times over in a matter of a few hours. What exactly did we gain for our trillions of dollars spent between 1965 and 2005?

Well said. If GP was correct, the US wouldn't have much to show for the trillions it spends. Since they have the capability to destroy the planet several times over, obviously the money was well spent.

You lost Vietnam war and haven't captured Osama yet.

Besides, how do you know the US has the capability to destroy the planet several times over? The army can't be trusted to be unbiased on their reporting, because they have an obvious incentive to make it seem that funding was well-spent rather than wasted, e

No, but it provides excellent fodder for anti-military rhetoric. I find people on far ends of either political spectrum completely abandon any semblance of using logic or reason in favor of just being an inflammatory fountain of stupid.

I know you were going for funny, but it's true. If there were any real uberhackers out there, someone would've dropped some serious ordnance on the White House by now. Or the Knesset. I'd even accept Rush Limbaugh or Rosie O'Donnell. But some pokey low-importance defence servers? Yeah, amateurs.

Actually, if someone did a show-stopper like that it would be a bad thing for everyone. It would provide the impetus for the Internet to be split up into separate non-connected networks and walled gardens. These wouldn't be "mere" firewalls, these would be networks that would be either running a new (or old) network protocol (IPX is an example) or a non-routable protocol such as NetBEUI (Don't confuse NetBEUI with NetBIOS... NetBEUI is the transportation and is obsolete, as TCP/IP has completely taken over that communication-layer function) or AppleTalk.

Right now, a black hat can sit at his/her computer, and connect on the same network to virtually anything. Should people get too upset and knee-jerkish about a War Games scenario, he or she would have to spend a lot of time and effort trying to get gateways working to networks that have completely different protocols (IPX, VINES) in the effort to try to attack machines.

Compared to the past, a dedicated cracker just needs to focus on a relatively small part of an OS or a service like Apache, IIS, or SQL Server for great gains. In the past, one had to jump from DECNet to BITNET to NSFNet, perhaps going through multiple UUCP hops if the boxes were moving mail via store and forward and modems. Almost no host or network was the same as another, so a generic "script kiddy" who could run a prepackaged toolkit against a random company didn't exist back then.

Yes and No. If I want to have a program that I pass SQL queries to and it returns either safe or unsafe that is not a computable problem. There is no way to tell if a query is good or bad without context. That being said there are things like prepared statements that give the statements context, that is explicitly stating which parts of the query are control statements and which are data.

In a simple system you are correct but in a system of even moderate complexity telling if code is vulnerable to SQL injection becomes non-trivial. When you have to dig through 5 levels of inheritance several times to hunt down all the places where the query is actually formed it's not all that simple.

Perl taint mode. Sure, it is conservative, but if taint is complex enough that it does work, then I wouldn't trust a person to get it right with 100% accuracy.

Well, before they started calling it SQL injection, it was just invalid input. Since I was programming for an audience of millions, if even 0.1% of them were script kiddies, and 0.01% of them were good, my servers would have a life expectancy of days at most.

The way to protect against sql injection is not to "validate external input." It is to pass the external input to the database after telling the database what that external input should be representing (sql parameterization). Let the database decide if it is valid or not.

If you try and reinvent the wheel in every app, you will certainly make a mistake at some point. The guys who wrote the DB know more about this than you do; let them handle it.

Why would anyone let the website run with DROP TABLE or any other high-level permissions? Shouldn't the website be using credentials with read-only permissions? Maybe after the user logs in they can update their one record. Not anyone else's record.

(Here is where I will be flamed to oblivion) Or is this another case where the web dev says that they need full god rights on the DB server?

You should always run with just the permissions you need to get the job at hand done. Nothing more ever.
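The two points raised above, passing external input as a parameter so the database knows it is data, and running the web-facing code with read-only credentials, shown together in an added example that is not from the thread. It uses SQLite's in-memory database and a constructed notices table; the `PRAGMA query_only` setting stands in for the read-only account a real deployment would grant.

```python
import sqlite3

# Constructed sample data for this example (not from the article).
SAMPLE_ROWS = [("alice", "public notice A"), ("bob", "public notice B")]


def make_db():
    """Create an in-memory database with a small notices table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notices (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notices VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concat(conn, owner):
    """Vulnerable pattern: user input is spliced into the SQL text.

    A quote character in `owner` is read as SQL syntax, not as data,
    which is exactly the mistake SQL injection relies on.
    """
    sql = "SELECT body FROM notices WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, owner):
    """Safe pattern: the driver is told which part of the statement is data.

    The database never parses the contents of `owner` as SQL, so a quote
    or a semicolon in it is just a string to compare against.
    """
    sql = "SELECT body FROM notices WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def classify(conn, fn, owner):
    """Run a lookup and report ("ok", rows) or ("error", message)."""
    try:
        return ("ok", fn(conn, owner))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def restrict_to_reads(conn):
    """Least privilege: make this connection refuse every write.

    PRAGMA query_only is SQLite's per-connection read-only switch; on a
    server database the equivalent is a role with SELECT only.
    """
    conn.execute("PRAGMA query_only = ON")
    return conn


def try_write(conn):
    """Attempt an UPDATE; return True if it was allowed, False if refused."""
    try:
        conn.execute("UPDATE notices SET body = 'changed' WHERE owner = 'alice'")
        conn.commit()
        return True
    except sqlite3.OperationalError:
        conn.rollback()
        return False


if __name__ == "__main__":
    db = make_db()
    name = "o'brien"  # a perfectly ordinary name that happens to contain a quote
    print("concatenated:", classify(db, lookup_concat, name))
    print("parameterized:", classify(db, lookup_param, name))
    restrict_to_reads(db)
    print("write allowed after restriction:", try_write(db))
```

The concatenated lookup fails outright on a name containing an apostrophe, which is the visible symptom of the same defect an attacker abuses; the parameterized version simply returns no rows, and the restricted connection rejects the UPDATE.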

It is not people still writing such code, it is people still using such code. A website that has accumulated information and that has been working correctly for 10 years is not something most people are willing to rewrite.

It's the fault of subpar developers. I have some of them in my company, tried to teach them, but nothing works. I still encounter some bad queries here and there in their code. Add lack of ANY programming/indenting style and you have today's web programming.

"Equally troubling is the fact that the hacks appear to have originated outside the United States. Turkey is known to harbor significant elements of the al-Qaida network. It was not clear if "m0sted" has links to the terrorist group."

Their tactic of having two or more 6-7 year old girls say in perfect unison "Would you like to buy some girl scout cookies" is diabolical. This overloads one with their cuteness causing loss of some higher brain function. Which compels one to buy these cookies.

I'm just playing devil's advocate but who puts their public website inside their defences?

Who says it's behind their real defenses?

Look, it's a web server on the Internet. It's gonna need at least a firewall. Just like if they used Rackspace to host it and you were behind Rackspace's firewall. But there's also gonna be additional defenses for other systems.

And, btw, anything that's on the server is gonna be unclassified or somebody's goin' to jail regardless of the breach.

My point was less about the severity of the compromise and more about the nature of it being on "US Army Servers." I was just trying to show the distinction between the public facing kind of "US Army Servers" and the behind the scenes equipment that one might hope was secure.

SQL injections are fairly common, as have been buffer overflows. But while companies have responded to buffer overflows by making better compilers, better frameworks, and even new CPUs there has only been a slow crawl to a better way to

Some frameworks support Parameters but they're still largely rare (both usage or support) with most people still attempting to write SQL statements with data embedded directly

Are you seriously that clueless? Most relational database APIs have had parameterized query support since before what I'd think is the majority of slashdot had god damn computers. The only mainstream programming language that has lagged in its adoption (they were there, just not as visible as they could have been until the later versions) is PHP

Yeah. If you read about all of the shit the military keeps secret for decades, something tells me that information week wasn't able to pull something the military didn't want to give.

So, what would you do if you wanted to learn the technical capabilities of the enemy? Try to hack into their location, or set up some seemingly vulnerable services and watch what they do? Double bonus: "leak" the break-in (wink wink) to Information Week and see what kind of celebration activity you can see on the lines. Hell, I

Seems we don't have to know much about the situation to know one thing... a "major Army security lapse" is more like, say, strategic radio comm in the clear, close enough to be intercepted by the enemy, and results in casualties.

A public facing website that gets script-kiddied by some asshat from Turkey that thinks exploiting a site by SQL injection is Uber-L33t is not a major lapse. I'm pretty sure this is not weighing heavily on some 5-star's mind.

The US military is pretty much incapable of fighting a guerrilla war where the combatants are intermixed with civilians and civilian casualties are forbidden. It made Vietnam very difficult and it has made Iraq difficult as well.

What we have is a guerrilla war against hackers where they are effectively shielded in most cases by the ISP and their own country's law enforcement. The end result is almost an unwinnable war.

We are winning in Iraq by ending the use of civilians as shields. We won in Vietnam by separating the combatants from the civilians. It is going to take that sort of effort to win against hackers, crackers and identity thieves. Unfortunately, right now the effort required to do this is intense enough that it is many, many times the losses so far. So I don't think they are going to do anything until the losses mount up a lot more.

What makes this worse is in order to effectively combat these people it is going to take either the cooperation of foreign law enforcement or just going around them. Neither one is going to make these other countries want to be our friends, but they seem to be happy with the hackers running around doing whatever.

The goals in Iraq and Vietnam are different than that on the web. In Iraq and Vietnam you have to go out there and police the countryside. On the web, you just have to hunker down and prevent intrusions. It's the difference between riding out into the countryside and battening down the hatches on the castle. It's a lot easier to secure a castle than police the entire countryside.

It's the difference between riding out into the countryside and battening down the hatches on the castle. It's a lot easier to secure a castle than police the entire countryside.

Your analogy is flawed... Although you are right, that "policing the countryside" is difficult, securing the castle is very hard too, when you aren't allowed to pursue the repelled attackers. And, as far as I know, most of the military's tactics and doctrines rely on retaliating (or a threat thereof) as a deterrent.

What we have is a guerrilla war against hackers where they are effectively shielded in most cases by the ISP and their own country's law enforcement. The end result is almost an unwinnable war.

What you have is a few teenagers writing graffiti on the army bulletin board located outside the base. And yes, the War on Vandals is likely unwinnable. However, you might try declaring War on Exaggeration.

We are winning in Iraq by ending the use of civilians as shields. We won in Vietnam by separating the combatants from the civilians. It is going to take that sort of effort to win against hackers, crackers and identity thieves. Unfortunately, right now the effort required to do this is intense enough that it is many, many times the losses so far. So I don't think they are going to do an

Excuse me? The US did not win the Vietnam War, unless the US was aiming to make Vietnam a communist country and have lots of casualties.

Changing wording to create fiction in the hope that somebody gullible will hand over some cash is not the way to fight this increasingly organised and increasingly common criminal activity, but unfortunately that is how the current head of the NSA and others scrambling for funding are doing it. One such idiot full of cyberhype recently showed he knew less about Trojans than anyone with even a passing knowledge of European culture let alone a computer professional (i.e. the Trojan horse lets the other nasty s

That's doubtful at the best of times, but for the sake of argument, I'll entertain you.

by ending the use of civilians as shields.

No you haven't. There hasn't been any noticeable decrease in violence, just less reporting of it. Just because the US army has the media on a tight leash doesn't mean that you're winning, in fact this is about the only lesson the US armed forces learned in Vietnam and in my opinion the most useless one taught.

Continuing the military analogy... What great battles have been won purely by defense? Denying yourself the ability to "reach out and touch someone" will always give the advantage to those who seek to blow you up -- or to bring your server down.

But as it stands now, a bunch of teenagers are thoroughly and repeatedly trouncing the US military.

Not really. Do you have any idea just how many computers have .mil addresses? If somebody screwed up on the configuration for an infinitesimally small percentage of them, that's still a lot of systems open to attack. And the script kiddies will get lucky.

But the US military also doesn't talk about their own "cyber" offensive and defensive capabilities for obvious reasons. Which leads to the erroneous presum

the battle on the web is one of image and a communication capability and integrity. if the enemy can thoroughly trounce the image and capability of the military on the web, then that is a battlefield which is a valid battlefield and which has been won by the enemy. you thoroughly reject the validity of this battlefield. you are thoroughly wrong and woefully behind the times

your allegory of spraypainting graffiti on fences is inaccurate. it would be more accurate to say every flag in every corridor were turn

> if the enemy can thoroughly trounce the image and capability of the military on the web,

Another variant on this "lawfare", where you use the laws of a country against them. Boumediene v. Bush [wikipedia.org] is prime fodder for this.

Along the lines of what you were saying, Robert Coram's book about Medal of Honor recipient Colonel Bud Day [militarypr...glists.com] talks about how the North Vietnamese would show the POWs videos from back home to show that resistance was hopeless - e.g., John Kerry's testimony before the Senate. Same kind of t

Some companies do not consider you to have done due diligence if you do not lock up. That is why I always lock the doors of rental cars, even though I don't lock my car's doors. I would also check your homeowners insurance policy for door locking.

I don't lock my doors at night, but I do consider my security system secure. If anyone touches the door handle after 8:00pm, it triggers a shotgun that blows their head off. You wouldn't believe the piles of dead robbers we have in my garage!

It appears the servers in question were used for serving up web sites. Probably publicly-facing web sites. So, what sensitive information was at risk? There are already regulations about what content can be approved to sit on a DoD server with a publicly-facing web site.

I don't know what I've been told
But Army servers are quickly pwned
You don't need some high-tech decryption machine
Just a string with a semi-colon in between
I don't know what I will find
When good Army hackers have resigned
We'll have a good laugh when some bored kid in China
Posts photos of Gen. Petraeus with a vagina

Ok so someone defaced a website used by the US Army. How do we know that the website is not hosted by a 3rd party provider? Also how are we sure that sensitive information and the website are on the same network? Also the army may not have coded the website so it could have just been piss poor coding by a 3rd party web developer and not the contractor who codes the programs that control the sensitive information.

In other words just because the front end website for the Army got defaced that means nothing. It is like defacing the IRS website. It means nothing till you have peoples tax returns being rerouted to your personal bank account.

Turkish hackers are well known to compete on mass defacement contests.

When preparing a contest, they scan all IPs to locate vulnerable sites. When the contest starts, they deface the maximum number of sites in a given amount of time (probably one hour in this case). They always go for the quickest way to hack a site, and so they are not really hackers but script-kiddies.

TFA is complete bullshit, since the hackers don't care about the content of the sites.

Web server page redirection? Should that scare me? I mean, it's not quite as if somebody smuggled munitions or fired a weapon.
"Oh...but the breach reveals the military's vulnerability."
Does it? To what?
Answer: To webserver page redirection.
Might there be greater risk here? Perhaps. But no evidence was presented to indicate that. Get back to me when you've identified a MATERIAL RISK, not merely a TECHNICAL VULNERABILITY.
As for those of you who have hopes and expectations that ALL THINGS MILITARY will be secure...WTF?

I agree, this is like "infiltrating" the coffee-break room of the Army recruiting station at your hometown strip mall. It's not great, but it's not that big a deal. I'm not sure I want the DoD investing the (taxpayer) resources to make sure nobody ever, ever defaces their website again.

"Oh...but the breach reveals the military's vulnerability."
Does it? To what?
Answer: To webserver page redirection.
Might there be greater risk here? Perhaps. But no evidence was presented to indicate that. Get back to me when you've identified a MATERIAL RISK, not merely a TECHNICAL VULNERABILITY.

The military has to look at an opponent and assess capabilities. Not actual abilities, but possible capabilities.

So while you say "technical vulnerability," a security oriented person says "everyone who visited that web page could have been thoroughly pwned with trojans". If that doesn't qualify as a material risk, what does?

As for those of you who have hopes and expectations that ALL THINGS MILITARY will be secure...WTF?

Users attempting to access the site were redirected to a page featuring a climate-change protest.

OHNOES! They breached the admin net!

There's a reason why the protected A/B network is accessible to the intarwebs and the L2 or higher networks are not. This may be interesting from a hacktivism standpoint... but it's not terribly newsworthy... or, at least, it's not got nearly as much shock value as the summary purports it to have.

SQL injection is hardly "a security vulnerability in Microsoft's SQL Server database." SQL injection is a result of badly written code. Nothing more. There is never an excuse for that to occur, even in environments where security isn't the top priority.

The whole article feels a bit off to me. I get the sense it was written by somebody with little technical cluefulness. I particularly like the line about "sophisticated Defense Department tools and procedures designed to prevent such breaches" followed by a sentence identifying AV software. Written by a dummy, for similarly intelligent people, perhaps?

You are wrong on so many levels. If you can't even bother to protect against such simple things as SQL injection, I have a nasty feeling about the overall security. Why isn't classified information on a separate network, not connected to the Net? Please: this is not 1980 anymore - protect critical information seriously.

How do you know that classified intelligence was even obtained? Why are you even assuming that the security of these servers, an ammunition plant and the Army Corps of Engineers no less, will have the same security as that of the Pentagon? Did it ever occur to you that perhaps the Army would appropriate security based on how vital their assets are?

Um, I'd say that any website from a personal website with nothing terribly important on it to the system used to launch nuclear weapons should guard against something as simple as SQL injection. Now, you might not want to have passwords 468000 characters long for a lower security website, but surely blocking SQL injection is something all websites should guard against.

The US military has a (well, many) classified network and an unclassified network. All computing equipment has a little sticker on it that says which (classified or unclassified) purpose that equipment is used for. I'm sure that the hacked web servers all have a little blue sticker with white text that says that the server is to only work with unclassified info (websites, most likely). I wouldn't really call this a security breach any more than I'd call shoplifting a robbery. While yes, the web servers were indeed "hacked", it's not like that webserver was hosting top secret plans in pdf form for distribution purposes.

The important part was "Beyond the redirects, it's not clear whether the group was able to obtain sensitive information from the Army's servers. "

They didn't get any "sensitive" information. Sure as heck they didn't get any classified information. They breached a public web site, hosted on a public network. I seriously doubt the server was even physically close to any classified information, much less attached to a network with any, or contained any itself.

Sensitive does not mean classified. Sensitive could be as simple as a change in the dinner menu at the chow hall, which could suggest the arrival of important personnel. Classified information would not even exist on networks accessible via the internet.

That is not true. When you work for a military contractor you would be amazed at the amount of classified information which is available on the shared drives.

No--it is not directly available to the internet, but how many exploits does it take to hijack a browser and gain a command prompt or a vector to the injection of bytecode? How about hijack a browser and progressively insert holes in the compromised system until a backdoor can be opened? Sure, going to www.military-contractor.com and trying to force

Sorry Charlie, but clients with classified data are physically separated from the public internet. USB ports and other sneakernet outlets are (should be) disabled. The folks that take care of the important stuff aren't stupid and are highly paranoid.

The folks that take care of the important stuff aren't stupid and are highly paranoid.

Not sure where you're getting your facts from, but from my years in the military I'd venture to say that you're a bit overconfident.
There are plenty of ways for sensitive data [salon.com] to find its way into the hands of outsiders.

Yeah,
I used to work at a defense contractor and classified systems are on separate networks, and to my knowledge are universally separate from anything connected to the internet.
Sensitive is the lowest (or maybe second lowest?) classification, so breaking into "sensitive" servers isn't a particularly big deal, although I guess they might eke something useful out of it. Is our biggest fear that attackers might learn the inner secrets of publicly available government websites?
basically anything that they

Sensitive information is likely FOUO and definitely NOT classified. As others have already pointed out, if a user somehow posted classified information on that server, they would find their ass in a sling PDQ. Classified information is always always always on a separate network. Because the most secure network is one that cannot communicate with the outside world.

I used to work for one of the larger defense contractors and the information that was considered vital to system design or classified as at least Secret was usually on separate servers that were not connected to the internet.
I know on several occasions when sensitive information was sent across the internet it was done on a special computer.
I've also seen instances where the information was not allowed to be on a computer at all.

People bitch about the MS tax, and go pirate Windows and Office for their home computers, but that doesn't even make a dent in their income. They make HUGE money off government and corporate contracts.